Dear Network Engineers,
I need some advice with a problem. I use Carrier Grade NAT (CGN) on a Cisco ASR1K to provide Internet access for customers. Some of them want to use PPTP to reach VPN servers on the Internet. Main traffic is forwarded through NAT with the overload option enabled, which allows multiple customers to be translated to the same global IP address.
But PPTP doesn't work through "overloaded" NAT because sometimes the control TCP session to port 1723 and the GRE tunnel are translated to different global IP addresses, and the user can't be authenticated on the VPN server. I tried to create an additional global IP address pool to translate PPTP traffic only (TCP/1723 and GRE) without the overload option. It works fine until this pool becomes completely exhausted.
Someone permanently scans our global IP addresses from the Internet looking for open exploits. Every translation receives a packet from the Internet every 1-2 minutes regardless of whether the customer is using this translation at the moment or not. So the "non-overloaded" translations never expire.
To solve this problem Cisco provides application layer gateway (ALG) features, but the PPTP ALG doesn't work with CGN NAT, so I had to disable it.
How can I fix this problem and allow our customers to use PPTP through NAT?
Thanks!
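The two mechanisms behind the question, as an added example that is not part of the original post and not Cisco code: a small Python model of a non-overloaded (1:1 dynamic) CGN pool. It contrasts per-flow address selection, where the TCP/1723 control session and the GRE tunnel of one customer can be translated to different global addresses, with the "paired" IP address pooling behaviour of RFC 4787, where every flow from one inside host reuses that host's existing global address, and it models the idle timer with and without refresh by unsolicited inbound packets, so the effect of the scanner on pool exhaustion is visible. The pool addresses, timeouts, sample customers and both refresh policies are assumptions of this model, not a description of what the ASR1K actually does.

```python
"""Added example, not from the original post: a toy CGN showing why a per-flow
1:1 pool breaks PPTP, how "paired" pooling (RFC 4787: all flows of one inside
host share one global address) keeps TCP/1723 and GRE together, and how an
idle timer refreshed by unsolicited inbound scans never lets a pool entry go.
Addresses, timeouts and both refresh policies are assumptions of this model."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP, GRE, PPTP_CTRL_PORT = 6, 47, 1723
POOL = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # constructed test pool

@dataclass(frozen=True)
class Flow:
    inside_ip: str
    proto: int
    dst_ip: str
    dst_port: Optional[int] = None  # GRE carries no port numbers

@dataclass
class Mapping:
    global_ip: str
    inside_ip: str
    last_refresh: float

class Cgn:
    """Dynamic 1:1 pool. paired: new flows reuse the host's existing global
    address. refresh_on_inbound: unsolicited Internet packets reset the timer."""
    def __init__(self, pool, idle_timeout, paired, refresh_on_inbound):
        self.free, self.idle_timeout = list(pool), idle_timeout
        self.paired, self.refresh_on_inbound = paired, refresh_on_inbound
        self.by_flow: Dict[Flow, Mapping] = {}

    def _global_of_host(self, inside_ip: str) -> Optional[str]:
        return next((m.global_ip for m in self.by_flow.values()
                     if m.inside_ip == inside_ip), None)

    def outbound(self, flow: Flow, now: float) -> str:
        """Customer packet: create or refresh the mapping, return the global IP."""
        if flow in self.by_flow:
            self.by_flow[flow].last_refresh = now
            return self.by_flow[flow].global_ip
        gip = self._global_of_host(flow.inside_ip) if self.paired else None
        if gip is None:
            if not self.free:
                raise RuntimeError("pool exhausted")
            gip = self.free.pop(0)
        self.by_flow[flow] = Mapping(gip, flow.inside_ip, now)
        return gip

    def inbound(self, global_ip: str, now: float) -> bool:
        """Internet packet (e.g. a scanner probe) towards one global address."""
        hits = [m for m in self.by_flow.values() if m.global_ip == global_ip]
        if self.refresh_on_inbound:
            for m in hits:
                m.last_refresh = now
        return bool(hits)

    def expire(self, now: float) -> int:
        """Drop idle mappings; free a global address once no flow uses it."""
        dead = [f for f, m in self.by_flow.items()
                if now - m.last_refresh >= self.idle_timeout]
        for f in dead:
            gip = self.by_flow.pop(f).global_ip
            if all(m.global_ip != gip for m in self.by_flow.values()):
                self.free.append(gip)
        return len(dead)

def pptp_flows(inside_ip: str, vpn_server: str) -> Tuple[Flow, Flow]:
    return (Flow(inside_ip, TCP, vpn_server, PPTP_CTRL_PORT),
            Flow(inside_ip, GRE, vpn_server))

def pptp_global_ips(paired: bool) -> List[str]:
    """Global IPs the VPN server sees for one customer's control session and
    GRE tunnel, with a second customer's control session interleaved."""
    nat = Cgn(POOL, 300, paired, refresh_on_inbound=False)
    a_ctrl, a_gre = pptp_flows("10.0.0.11", "203.0.113.5")
    b_ctrl, _ = pptp_flows("10.0.0.12", "203.0.113.5")
    ctrl_ip = nat.outbound(a_ctrl, 0.0)
    nat.outbound(b_ctrl, 0.1)
    return [ctrl_ip, nat.outbound(a_gre, 0.2)]

def pptp_customers_supported(paired: bool) -> int:
    """Customers whose control session AND tunnel fit before the pool runs out."""
    nat, n = Cgn(POOL, 300, paired, refresh_on_inbound=False), 0
    while True:
        try:
            for f in pptp_flows(f"10.0.0.{n + 1}", "203.0.113.5"):
                nat.outbound(f, float(n))
        except RuntimeError:
            return n
        n += 1

def survives_scan(refresh_on_inbound: bool, scan_interval: float = 90.0,
                  idle_timeout: float = 300.0, horizon: float = 3600.0) -> Tuple[bool, int]:
    """Customer sends one packet at t=0 and goes quiet; a scanner probes the
    global address every scan_interval. Returns (mapping alive, free addresses)."""
    nat = Cgn(POOL, idle_timeout, paired=True, refresh_on_inbound=refresh_on_inbound)
    flow = Flow("10.0.0.11", TCP, "203.0.113.5", PPTP_CTRL_PORT)
    gip, t = nat.outbound(flow, 0.0), 0.0
    while t < horizon:
        t += scan_interval
        nat.expire(t)
        nat.inbound(gip, t)
    return flow in nat.by_flow, len(nat.free)

if __name__ == "__main__":
    for p in (False, True):
        print("paired", p, pptp_global_ips(p), pptp_customers_supported(p))
    print("timer refreshed by inbound:", survives_scan(True), "not:", survives_scan(False))
```

Running the block shows the two halves of the problem separately: with per-flow selection the control session and the GRE tunnel leave from different global addresses and a three-address pool serves only one PPTP customer, while paired pooling keeps both flows on one address and serves three; and a mapping whose idle timer is reset by inbound-only traffic survives a 90-second scan indefinitely, whereas one refreshed only by customer traffic expires and returns its address to the pool. Which of these policies a given NAT platform applies to a non-overloaded pool, and whether the idle timer counts inbound-only packets, is the thing to verify on the actual box rather than assume.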